hello all -
I've run into some trouble using the request_header_access directive
with an external acl. A snippet of my config file is below:
-----
external_acl_type check_clientcert children=1 concurrency=0 ttl=3 negative_ttl=3 %USER_CERT_CN /etc/squid3/helper.pl
acl matches-clienttest-cert-name external check_clientcert clienttest-cert-name
#http_access allow matches-clienttest-cert-name
#http_access deny all
request_header_access User-Agent deny matches-clienttest-cert-name
------
If I uncomment the http_access lines, I am only granted access if I
present the correct client certificate, so the external acl seems to be
configured correctly. I also see lines like
-----
2009/03/11 14:12:54.243| helperDispatch: Request sent to check_clientcert #1, 14 bytes
2009/03/11 14:12:54.243| helperSubmit: - clienttest-cert-name
-----
in the output of squid -X. However, when I run squid with the config
file above, the User-Agent header is not removed, and I see no
"helperDispatch" or "helperSubmit" in the log output. Can anyone shed
some light on why external acls may not be invoked this way?
Taking a step back, my larger goal is to run an https accelerator which
accepts client-certificate authenticated requests and passes information
about the client cert to the origin server. My idea right now is to put
the client certificate CN into the User-Agent header, but if anyone has
a better idea, my current solution seems pretty hacked together. Thanks
for your help.
-tucker cunningham
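For readers wondering what the helper behind an `external_acl_type` like the one above has to do, here is an added example of a minimal helper in Python (it is not the poster's `/etc/squid3/helper.pl`, and the exact input format is an assumption: with `concurrency=0` Squid is assumed to send one line per lookup of the form `<%USER_CERT_CN> <acl arguments...>`, with `-` standing in for a missing certificate, and to expect `OK` or `ERR` back on its own line).

```python
#!/usr/bin/env python3
"""Minimal Squid external ACL helper for a %USER_CERT_CN lookup.

Assumed protocol (not taken from the post): with concurrency=0 there is
no channel-ID column, so each request line is
    "<certificate CN> <acl argument> [<acl argument> ...]"
and the helper answers "OK" or "ERR" on one line. The CN is assumed to
be "-" when no client certificate was presented and to contain no spaces.
"""
import sys

# Constructed sample requests, in the assumed on-the-wire format:
# a matching CN, a request with no client certificate, and a wrong CN.
SAMPLE_LINES = [
    "clienttest-cert-name clienttest-cert-name",
    "- clienttest-cert-name",
    "some-other-cn clienttest-cert-name",
]


def decide(line: str) -> str:
    """Return "OK" when the certificate CN equals one of the ACL arguments.

    The ACL in the config passes a single expected name as its argument
    ("clienttest-cert-name"); more than one argument is accepted so that
    one acl line can allow several certificate CNs.
    """
    fields = line.strip().split()
    if len(fields) < 2:
        return "ERR"  # malformed: need a CN and at least one expected name
    cn, expected = fields[0], fields[1:]
    if cn == "-":
        return "ERR"  # no client certificate was presented
    return "OK" if cn in expected else "ERR"


def answers(lines=SAMPLE_LINES):
    """Decide a batch of request lines; used to demonstrate the helper."""
    return [decide(line) for line in lines]


def main() -> None:
    # Squid keeps the helper running and writes one request per line on
    # stdin; every answer must be flushed at once or the lookup stalls.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```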